Personally Identifiable Information (PII), is information about a person that uniquely identifies an individual, such information includes; an individual’s name, social security number, biometric records, medical records, financial information, passports, date and place of birth, educational information, employment information, (Radack, 2010) and parental information (for example: mother’s maiden name. (GSA, 2015) (Rouse, 2014)
The examples of PII listed above is what is known as sensitive personally identifiable information and due to the level of sensitivity, all information should be encrypted when not in use. Non-sensitive personally identifiable information is information that can be transferred without the consequences of harming an individual. Examples of non-PII would include information that can be gathered from websites, phonebooks, or public records. Rouse, 2014) PII cannot be tied down to any one category of information or technology.
Instead, it depends on a case-by-case evaluation of a specific risk in which an individual can be identified. Anyone with information, should realize that non personally identifiable information can become sensitive PII if exploited in any manner with other information that may not be considered PII and therefore become information that is used to identify an individual. GSA, 2015) If PII were to get exposed it could lead to considerable harm, embarrassment, identity theft, or other fraudulent misuse of the information leaked. Information systems raise new ethical problems. When pertaining to ethics it is defined as the principles of right and wrong that individuals, acting as free moral agents, use to make choices to guide their behaviors. Prentice Hall states, “This is truer today than ever due to the challenges posed by the Internet and electronic commerce to the protection of privacy and intellectual property.
Along with this there are more ethical issues that are raised by the broad use of information systems, which include establishment of accountability pertaining to the consequences of information systems, establishing a thorough defense system which protects individuals, and securing values considered essential to the quality of life in an information society. Any business or large company, should be trained on being able to effectively deal with any issues. Firm technologies have made clear ways to assemble, integrate, and distribute information in the protection of personally identifiable information.
Examples of these are; if you work in a career field such as finance or accounting, ensure that the information systems used are protected from computer fraud and abuse. In the field of human resources, developing and enforcing an ethics policy and providing special training to sensitize workers to new ethical issues that pertain to information systems. In the information systems field, the insurance of making management aware of the ethical implications of the technologies used and advising management on the establishments of a code of ethics for information systems is imperative.
Career fields such as manufacturing, production, or operations management, data quality and software problems that could disrupt the flow of information among manufacturing, production systems, and supply chain partners is what you will be dealing with. The sales and marketing career field will need to harmonize systems that gather and analyze customer data privacy. (Hall, N. D. ) There are many ways that individuals can be affected as well as prosecuted from the exposure of PII.
The most current federal law defines identity theft as, “A federal crime when someone knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law. ” (Finklea, 2014) When talking about identity fraud it refers to a number of crimes involving the use of false identification, though not necessarily another identification.
Identity theft is a specific form of identity fraud involving the use of someone else’s personally identifiable information. Both crimes are often committed in connection with other violations. Identity theft, on the other hand, may directly affect the life of the someone whose identity was stolen. (Finklea, 2014) In 1974 the Privacy Act amended a list of criminal penalties, an individual shall be guilty of a misdemeanor and fined no more than $5,000 when in the possession of, or has access to agency records that contain PII and knowing disclose specific material to anyone not permitted to receive it.
Anyone who willfully maintains a records system, and does not meet the requirements in subsection (e)(4) of the Privacy Act or requests or obtains any record of an individual under false pretenses shall be guilty of a misdemeanor and fined no more than $5,000. (GSA, 2015) Pertaining the distribution of PII there are three main ways in which it can happen, cyber-attack, an insider threat, and a careless insider. A cyber-attack is mainly targeted to healthcare organizations and be done by anyone. (NEED MORE INFORMATION ON) Constantly changing passwords is a good tip in the prevention of cyber-attack.
Insider threats most likely happen when an organization has someone who becomes upset with how things are going on. (NEED MORE INFORMATION ON) Ensuring employees have limited access to certain levels of information as well as being able to terminate access immediately if needed and being able to change passwords when an employee leaves can help to prevent this specific threat. A careless insider threat, basically states that an individual exposed PII unintentionally by maybe leaving their phone in a taxi or even someone stealing a device with PII on it.
By ensuring anyone with PII access to use strong passwords on all the devices used and educating on the importance of encrypting sensitive information can prevent the accidentally leak of PII. (Stucky, 2016) When information is leaked it is what is known as data breach, GSA defines data breach as the, “loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any situation where an individual other than authorized users with an authorized purpose have access or potential access to PII, whether physical or electronical. (GSA, 2015)
The Identify Theft Resource Center currently monitor seven different categories of data loss methods: insider theft, hacking, data on the move, subcontractor/third party, employee error/negligence, accidental web/Internet exposure, physical theft. Along of monitoring data loss methods the ITRC tracks four types of information that are more commonly compromised, social security numbers, credit/debit card numbers, email/password/user names, and protected health information. (ITRC, N. D. ) If you know what to look for it can help in the prevention of PII exposure.
When you are on an electronic device always remember to never download from an untrusted location in not doing so you can be tricked into installing a malicious software. Other ways to prevent the installation of malicious software are to, always look at the name of the file before downloading, stay away from torrents, sites with adult content, and movie streaming sites, and lastly always scan before installing. Always keep in mind that hackers are able to alternate the operating system, so ensure to have an up to date anti-virus scanner.
When leaving your computer exposed to physical access it is recommended to lock down the entire computer station before leaving. (University of California Santa Cruz, 2015) If you have a computer in a company location, make sure that you limit the admin access and install scanners to prevent employee initiated breaches. If you have sensitive information lying around it is best to lock away all important documents and to shred any papers that contain PII that are no longer needed. Use cryptic passwords as well as different passwords for accounts, try to do passwords resets whenever possible and never use the same password twice.
University of California Santa Cruz, 2015) Other ways that companies use to inform their employees in the risks and importance of PII is requiring their employees and contractors to complete trainings such as the “IT Security Awareness and Privacy Training 101 (GSA, 2015) A new data analysis technology that is coming forward to help prevent attacks on PII is the nonobvious relationships awareness (NORA), which can take information about individual from many sources and coordinates relationships to find hidden connections that can aid criminals or terrorists.
NORA technology does so by scanning data and extracting information as the data are being generated so that it could, for example, instantly discover a man at an airline ticket counter who shares a phone number with a known terrorist. (Hall, p. N. D. ) In summary minimize the use, collection, and retention of PII to what is necessary for business purposes, and categorize al PII by confidentiality impact level. Radack, 2010) Personally Identifiable Information whether sensitive or non-sensitive is the foundation of an individual and when exposed can ruin the individual targeted, no one person should have to deal with having their entire identity being exposed to someone without their consent. It is punishable by law and should be restricted to the individual in which it pertains.
